EU agrees to tougher sanctions against cyber crime

European Union countries have agreed to tougher sentences against cyber attacks and created a cyber-crime unit to be attached to Europol, the continent-wide police agency.

Under the new rules, being part of an organised crime group involved in a cyber attack against a critical IT system or causing serious damage via a botnet carries a maximum prison term of at least five years. The penalties for creating a botnet for mounting cyber attacks are up to three years in prison. General cyber crime carries a prison term of at least two years.

The rules are still to be ratified by the European Parliament. If enacted, they would retain most of the provisions currently in place which make illegal access, illegal system interference and illegal data interference all criminal acts. Instigation, aiding, abetting and attempt to commit those criminal offences are also covered.

New offences include producing and making available malicious software designed to create botnets or unrightfully obtain computer passwords for committing the offences. Illegal interception of computer data will also become a criminal offence.

“These new forms of aggravating circumstances are intended to address the emerging threats posed by large-scale cyber attacks, which are increasingly reported across Europe and have the potential to severely damage public interests,” said an EU statement announcing the changes.

The rules also aim to improve co-operation among EU countries, with measures such as strengthening the existing structure of contact points, as well as an obligation to provide feedback within eight hours to urgent requests.

Member states will also be obliged to collect basic statistical data on cyber crimes. This is an interesting addition, given a paper published last week by Microsoft security researchers, which questions the accuracy of cyber crime surveys, saying the estimated value of losses tend to be flawed and unreliable.

The new rules update the existing legislation enacted in 2005 and build on the Council of Europe’s Convention on Cybercrime, also known as the Budapest Convention. They come against a backdrop of increased reports of cyber attacks targeting a wide range of organisations, from the IMF and Citigroup to Google, RSA and Sony.